WikiLeaks Posts Mysterious 'Insurance' File

reply to post by Thalon84


ONION and ROUTER are not passwords to this file. You did not "decrypt" anything. Porn movies are not related to this. Please, please God, just take a few moments to read the entire thread.

Any new information on this topic? Did any one managed to hack it?

reply to post by acidrop


To underscore how unlikely cracking this file is in the near future: it's like asking if the sun has died out yet. Eventually, the sun will die, but it will take ages for it to happen.

No one is going to publicly crack this before the data is released by WikiLeaks itself (the NSA has the best shot, and there's no reason for them to let anyone know if they're successful). There is no need to check for updates, because they are not forthcoming. We'll know what's in the file when WikiLeaks releases the key or the data itself and not a second sooner.

I can't believe there are people that have absolutely no knowledge of this who are trying to "crack" the file.



I have to admit, it's pretty entertaining seeing some of the tactics people are using. Their labor isn't completely in vain - it's giving me quite a few chuckles, so at least it's worth something.



[edit on 23-8-2010 by DirtyPete]

i'm a complete loser in this kinda things but i got an theory...

both files from the site* are real, one file is the encrypted version with the real files BUT it's uncrackable without key.
the insurance.256AES
second file**
is an program created to open insurance.256AES by assange himself or with help... so every noob can open this file without problems or linux.

i got this theory because wikileuks never does something "by accident"

both files are fully downloaded without errors...

they are programmers so how difficult is it to make some file open another file (u have to built in an decrypt mode it's not impossible...)

why would they give out an file for everyone to download (and open when needed) if an average user can't open it...

how is it possible to download one full file by accident (under the same name) without wikileaks not knowing, i can't imagine they don't know what file others are downloading from their own servers

*wikileaks
**first file (the "real" one 1,38 gb)
second one (the "fake, bad, whatever) download
from their own site (it was mentioned before somewhere in this tread)
it was a full download (100%)

i don't try to crack it myself because i can't but maybe you can do something with this theory
wikileaks didn't want to answer to my theory.
i thought maybe i would get an sarcastic email like someone else in this tread. so i mailed them my theory, no answer.
so this could be something

reply to post by lucky-guess


What second file is that, I don't understand.

i will read this tread tomorrow again to find the specific post about that file...

i also got that file secured @ some friends but i forgot who... ;-)
burned on cd i only remember it wasn't that big...

I don't think he would add a file that 'auto decrypts' the encrypted file, it would defeat the purpose of 256bit encryption. The only way anything is going to come out of this is either wikileaks releases a redacted version of the diaries (that's my opinion on what the file is), or the key to the file is posted.

yes and no,

as long as nobody knows how the program* works the "256 encryption"
will do the job. (*file 2)

256 encryption is also a theory only because the filename says .256aes it don't have to be .256aes

as long as "the other file" is smaller and have the same name, people won't look at it. they wan't the "real" file

maybe the second file has an extension like: .assange
wich is renamed as .256aes so they only have to give you the right extension. (then the extension is the key and no one will search fot it because they look for something like: 4554ng3P0wn74m3r1c4
(found one: "Downloaded it but it says it's finished at 614MB... someone cutting downloads off somewhere along the way ?")
this was on page 7 in this tread but i'm sure it was mentioned a couple of times i only don't want to read this whole topic again...

until you get the second file working the "256bit encrypion" will do the job.

yes it is unlikely that i'm right, but nothing is sure about this file.
not even the size, you can make a file as big as you (resize software is often used for trojans and virusses)

but i don't know i'm just guessing...
i think that if you look straight at the file you won't find a thing.

reply to post by lucky-guess


What's that second file that you keep talking about?

Edit: on Wikileaks page, the last Tweet says:

Tue, 24 Aug 2010 21:53:03 wikileaks: WikiLeaks to release CIA paper tomorrow.

I don't know if it's related to this or not.

[edit on 25/8/2010 by ArMaP]

Ok, I've dug a little deeper into WL.
Mods: DNS records are in public domain, available to anyone by design if not configured otherwise.
Trivia: Wikileaks is hosted by prq.se.

dig prq.se @ns2.prq.se axfr

prq.se. 10800 IN SOA ns.prq.se. registry.prq.se. 2010072201 7200 3600 604800 3600
prq.se. 10800 IN A 88.80.30.4
prq.se. 10800 IN MX 0 smtp.prq.se.
prq.se. 10800 IN NS ns.prq.se.
prq.se. 10800 IN NS ns2.prq.se.
admin.prq.se. 10800 IN A 193.104.214.10
alphonse.prq.se. 10800 IN A 88.80.8.7
capsaicin.prq.se. 3600 IN A 88.80.5.2
dns.prq.se. 10800 IN A 88.80.8.8
dns1.prq.se. 3600 IN A 88.80.30.6
dummyns.prq.se. 10800 IN A 127.0.0.1
eduardo.prq.se. 10800 IN A 88.80.6.23
efnet.prq.se. 3600 IN A 88.80.5.41
forum.prq.se. 10800 IN CNAME web01.prq.se.
imap.prq.se. 10800 IN A 88.80.30.3
ip.prq.se. 10800 IN CNAME web01.prq.se.
irc.prq.se. 3600 IN A 88.80.5.41
kundcenter.prq.se. 10800 IN A 193.104.214.11
mail.prq.se. 10800 IN A 88.80.30.3
mail01.prq.se. 10800 IN A 88.80.30.3
molly.prq.se. 3600 IN A 88.80.0.98
mysql.prq.se. 10800 IN A 88.80.30.48
ns.prq.se. 10800 IN A 193.104.214.194
ns2.prq.se. 10800 IN A 88.80.30.194
pop3.prq.se. 10800 IN A 88.80.30.3
relay.prq.se. 10800 IN A 88.80.30.3
shell.prq.se. 10800 IN A 88.80.30.5
shell.prq.se. 10800 IN AAAA 2a00:16b0:1:1::30:5
smtp.prq.se. 10800 IN A 88.80.30.3
sql01.prq.se. 10800 IN A 88.80.30.4
temp.prq.se. 10800 IN A 88.80.30.4
tunnel.prq.se. 10800 IN A 88.80.30.2
tunnel2.prq.se. 10800 IN A 88.80.30.7
tunnel3.prq.se. 10800 IN A 88.80.30.8
tunnel4.prq.se. 10800 IN A 88.80.30.9
no-default-gw-on-swepipe-client-net.vlan667.prq.se. 3600 IN A 192.16.137.1
judas.vpn.prq.se. 3600 IN A 88.80.11.83
web01.prq.se. 10800 IN A 88.80.30.4
webmail.prq.se. 3600 IN A 88.80.30.62
webstats.prq.se. 10800 IN CNAME web01.prq.se.
www.prq.se. 10800 IN CNAME web01.prq.se.
prq.se. 10800 IN SOA ns.prq.se. registry.prq.se. 2010072201 7200 3600 604800 3600

Here is a wikipedia article about them.
It implies that KavkazCenter is no longer hosted there, that's false. See Ip addresses + NS rec:

dig @ns2.prq.se kavkazcenter.net axfr

kavkazcenter.net. 38400 IN SOA ns2.kavkaznews.com. admin.kavkaznews.com. 1041048462 10800 3600 604800 38400
kavkazcenter.net. 38400 IN NS ns1.kavkaznews.com.
kavkazcenter.net. 38400 IN NS ns2.prq.se.
kavkazcenter.net. 38400 IN NS ns2.kavkaznews.com.
kavkazcenter.net. 38400 IN A 88.80.5.157
pda.kavkazcenter.net. 38400 IN A 88.80.5.157
radio.kavkazcenter.net. 38400 IN A 80.81.183.151
wap.kavkazcenter.net. 38400 IN A 88.80.5.157
www.kavkazcenter.net. 38400 IN A 88.80.5.157
kavkazcenter.net. 38400 IN SOA ns2.kavkaznews.com. admin.kavkaznews.com. 1041048462 10800 3600 604800 38400

The funny thing about prq.se is it's apparently ran by the same people as i2b.se.
Dns dump gives similar structure and see admin.i2b.se..
To be continued..

i2b.se:

dig @ns2.prq.se i2b.se axfr

i2b.se. 10800 IN SOA ns.i2b.se. registry.i2b.se. 2010082301 7200 3600 604800 3600
i2b.se. 10800 IN A 88.80.30.4
i2b.se. 10800 IN MX 10 mail.i2b.se.
i2b.se. 10800 IN NS ns.i2b.se.
i2b.se. 10800 IN NS ns2.i2b.se.
admin.i2b.se. 10800 IN A 193.104.214.50
imap.i2b.se. 10800 IN A 178.16.223.68
nom.nom.nom.internet.i2b.se. 10800 IN A 88.80.0.95
kundcenter.i2b.se. 10800 IN A 193.104.214.51
lg.i2b.se. 10800 IN A 178.16.212.18
lg.i2b.se. 10800 IN AAAA 2a00:1c20::46:8:1:2
mail.i2b.se. 10800 IN A 88.80.16.189
mail01.i2b.se. 10800 IN A 88.80.16.189
mysql.i2b.se. 10800 IN A 178.16.223.73
ns.i2b.se. 10800 IN A 193.104.214.254
ns2.i2b.se. 10800 IN A 88.80.30.254
pop3.i2b.se. 10800 IN A 178.16.223.67
relay.i2b.se. 10800 IN A 178.16.223.72
se-sth-cty1-crdn-1.i2b.se. 10800 IN A 178.16.208.228
se-sth-cty1-crdn-1.i2b.se. 10800 IN AAAA 2a00:1c20::46:8:0:4
se-sth-kst1-crdn-1.i2b.se. 10800 IN A 178.16.208.225
se-sth-kst1-crdn-1.i2b.se. 10800 IN AAAA 2a00:1c20::46:8:0:1
se-sth-sln1-crdn-1.i2b.se. 10800 IN A 178.16.208.226
se-sth-sln1-crdn-1.i2b.se. 10800 IN AAAA 2a00:1c20::46:8:0:2
se-sth-sod1-crdn-1.i2b.se. 10800 IN A 178.16.208.227
se-sth-sod1-crdn-1.i2b.se. 10800 IN AAAA 2a00:1c20::46:8:0:3
smtp.i2b.se. 10800 IN A 178.16.223.69
sql01.i2b.se. 10800 IN A 178.16.223.73
STH-CTY1-CRDN-1.i2b.se. 10800 IN A 178.16.208.254
STH-KST1-CRDN-1.i2b.se. 10800 IN A 178.16.208.225
STH-SLN1-CRDN-1.i2b.se. 10800 IN A 178.16.208.226
STH-SOD1-CRDN-1.i2b.se. 10800 IN A 178.16.208.227
web01.i2b.se. 10800 IN A 178.16.223.71
webmail.i2b.se. 10800 IN A 178.16.223.70
wm.i2b.se. 10800 IN A 88.80.16.189
wo.i2b.se. 10800 IN A 88.80.16.189
www.i2b.se. 10800 IN CNAME web01.prq.se.
i2b.se. 10800 IN SOA ns.i2b.se. registry.i2b.se. 2010082301 7200 3600 604800 3600

Here is the nambla (nsfw or home) they host:

dig @ns1.aldns.org nambla.org ixfr=0

nambla.org. 300 IN SOA ns1.aldns.org. info.nambla.org. 2008110602 600 300 604800 300
nambla.org. 300 IN NS ns1.aldns.org.
nambla.org. 300 IN NS ns2.aldns.org.
nambla.org. 300 IN A 88.80.6.210
nambla.org. 300 IN MX 20 courriel.marmotmail.com.
mail.nambla.org. 300 IN A 85.17.36.172
www.nambla.org. 300 IN A 88.80.6.210
nambla.org. 300 IN SOA ns1.aldns.org. info.nambla.org. 2008110602 600 300 604800 300

Apparently Piratbyran.org uses only their NS.

Now, back to wikileaks.. They don't use prq NS, but do use their colocation and/or servers:

host -a __._
..
;; ANSWER SECTION:
__._. 835 IN MX 0 mail.__._.
__._. 835 IN A 88.80.17.21
__._. 835 IN A 88.80.17.18
__._. 28855 IN NS ns1.everydns.net.
__._. 28855 IN NS ns2.everydns.net.
__._. 28855 IN NS ns3.everydns.net.
__._. 28855 IN NS ns4.everydns.net.
..

Those NS servers are closed for AXFR/IXFR requests. So, yeah, ex hacker running the show knows what he's doing.. to some extent.

However, if you take a look at prq's servers... Well, frankly even a script kiddie could hack in, let alone the Pentagon...

The point where WL makes a splash is that the submissions are anonymous..
Yeah, they are if you're trying to break ssl.

$ host sunshinepress.org
sunshinepress.org has address 88.80.2.32
sunshinepress.org mail is handled by 0 mail.__._.

But not if you just simply look at the size of the submission.

reply to post by ArMaP


I downloaded the insurace file two times, the first on was 219mb, the second one was 1,45 gig.

Those two both came from their site, and both downloaded fully.
The filesize of the file on their server changed.

reply to post by locster


That's because the download failed.

If you still have both files (which I doubt) you can see if the smaller is the same as the initial part of the complete file.

That's why they have the SHA1 ash, for people to confirm that they got the complete file.

@armap then there are a lot of diffrent files but why would they do that ?

hmmmm....
or there are diffrent types files given out by wikileaks
or someone is trying to get out a fake file wich can contain everything

if there are diffrent types given by wikileaks than i can think of two things
or one is the key and another "the safe" with files like i mentioned before.

there are multiple incurance files, if one gets opened by accident than you got another...
so it's impossible to lose the insurance by accident.

i don't know i think that these files are made a long time ago as insurance and now nessecary, assange is a smart person who thinks maybe 100 steps ahead

little edit: if there is a download screen that says 100% than a download is completed (correct me if i'm wrong...)

[edit on 25-8-2010 by lucky-guess]

reply to post by lucky-guess


there are only 2 official reliable places to download the file from ...

thepiratebay.org...

leakmirror....__._/file/straw-glass-and-bottle/insurance.aes256

a lot of people seem to have received an incomplete file from the second link - download it from the piratebay link.

Originally posted by lucky-guess
@armap then there are a lot of diffrent files but why would they do that ?

No, but there are a lot of people with incomplete downloads.

All the (3) times I tried I got the same file.

little edit: if there is a download screen that says 100% than a download is completed (correct me if i'm wrong...)

It depends on the program used to make the download and on the download method.

I have seen several times that happening, a download being interrupted but the program making the download "thinking" that all was fine.

That's why many sites (like Wikileaks) publish also a ash to confirm that the file was correctly downloaded.

Oh, there was once a WikiLeaks thread
That simply would not turn up dead
Each morn when I logged in
Someone posted again
Without getting what had been said.



1) There is only one Afghan War Diary "insurance" file released by WikiLeaks. One. Not two, not forty, not three thousand. Just one. It has a SHA1 hash of cce54d3a8af370213d23fcbfe8cddc8619a0734c. Any file that doesn't match that hash is not the insurance file that we're talking about or is an incompletely downloaded version of that file.

2) Just because something says "100%" doesn't necessarily mean that it is, just that the software thinks so. While you can generally rely on it to be correct (assuming that the software was well developed and tested), that doesn't mean it always will be, especially when a significant amount of data is being downloaded. As ArMaP noted, this is why hashes are typically provided. Once one has downloaded the insurance file, one should be able to generate a hash from it (using whatever software is available for his or her operating system to do checksum calculation). If the hash does not match cce54d3a8af370213d23fcbfe8cddc8619a0734c, then the file is NOT the one that WikiLeaks released.


[edit on 25-8-2010 by bikeshedding]

I think based on the CIA paper, (size) - that the file is not just the diaries, I think it's everything Wikileaks were holding at the time.